This site requires JavaScript to be enabled

Data Storage Policy

535 views

3.0 - Updated on 2024-03-05 by Autum Phillips

2.0 - Updated on 2024-03-05 by Autum Phillips

1.0 - Authored on 2023-10-11 by Keigan Smyczek

 

Data Storage Policy

Policy Information

Issuing Office

Information Services

 

Affected Parties

All University Faculty and Staff

 

Policy Language

Access to information system media is permitted only for authorized users.

 

Policy Rationale

The purpose of this policy is to provide guidance for properly handling Liberty University’s data and information. Most compromises of data privacy occur due to improper handling of data by trusted internal resources.

Data storage practices must ensure that data is readily available to authorized users and that archives are both created and accessible in case of need. Information system media, both paper and digital should be protected (i.e., physically controlled and securely stored).

 

Definition of Glossary Terms

Cardholder Data (CHD) - For the purpose of this policy, CHD includes the primary account number (PAN) as well as any sensitive authentication data (SAN). Combined, these include, but are not limited to:

· Credit card number

· Card validation codes/values

· Full track data (from magnetic strip or equivalent in a chip)

· PINs

· PIN blocks

Data: A subset of information in an electronic format that allows it to be retrieved or transmitted.

Data at rest: data that has reached a destination and is not being accessed or used.

Cryptographic mechanism: Encryption tools used for protecting confidentiality, integrity, authenticity, and non-repudiation of information.

Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key.

Information: Any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphical, narrative, or audiovisual.

Media: Anything containing private information entrusted to Liberty, including, but not limited to, PII, GLBA data, FERPA data, GDPR data.

PCI DSS: Payment Card Industry Data Security Standard - set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

PII: Personal Identifiable Information - information that directly identifies an individual (e.g., name, address, social security number, telephone number, email address, etc.)

HIPAA: Health Insurance Portability and Accountability Act is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

GLBA: Gramm-Leach-Bliley Act is a federal law enacted to control the ways financial institutions deal with the non-public information of individuals.

FERPA: Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. 

Directory Information: Information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a student’s prior written consent.

Single Sign-On: Authentication scheme that allows a user to log in with a single ID.

 

Procedural Information

Procedures

Access to information system media is permitted only for authorized users.

Media containing Sensitive or Highly Sensitive data or information that is transported outside of University-controlled storage areas needs to be strictly monitored to control access and to form accountability.

Highly Sensitive information includes data in scope for PII, GLBA, and FERPA.

For further details on data classification levels and examples, refer to the Data Classification Policy.

Approved cryptographic mechanisms or other alternative physical safeguards should be implemented/used:

· To protect the confidentiality of information stored on digital media during transport.

· During transmission in order to prevent unauthorized disclosure of information.

· To protect the confidentiality of Sensitive and Highly Sensitive information at rest.

Access to university information systems, equipment and the respective operating environments is limited to authorized individuals.

Keys, locks, combinations, card readers, and other devices that allow entry into areas where Sensitive or Highly Sensitive information is stored are to be controlled and monitored.

 

Unsupported Data:

Credit Card Information/Cardholder data – Electronic credit card information/cardholder data should NEVER be stored on any Information System.  If found in LU system, follow disposal procedure found in PCI Data Retention and Disposal Policy

HIPAA information - HIPAA information/patient data should NEVER be stored on any Information System or University asset. If an individual or department believes they are in possession of HIPAA data, they need to contact General Counsel so that legal can review the data.

 

Data Centers and Server Rooms

Protect and monitor the physical facility where data and information are stored and support infrastructure for those information systems.

Any visitors to locations where data is housed will be escorted and their activity monitored.

Audit logs will keep record of physical access to areas where data or information is stored or handled.

Locations where data is stored, both on-site and remote, must provide access controls and protections in order to reduce the risk of loss or damage to an acceptable level.

 

Website Content

No usernames, email addresses, personal phone numbers, or budget codes may appear publicly on any Liberty University website unless a Policy Exceptions Request has been submitted and approved by IT Security. This contact information can be displayed on a department website without prior approval if it is behind Single Sign-On (SSO) login and not publicly accessible.

All web content authors are responsible for the information housed on their respective webpages and should be reviewing each page for sensitive information on a regular basis.

Acceptable employee information may include the name and position of employee, to be publicly accessible.

A department phone number, email address and location may be listed publicly as well.

Any discovered contact information in violation of this policy will be required to be removed or moved behind SSO.

Restricted Information- No passwords, social security numbers, LUIDs, or personal addresses may appear on any Liberty University website for any reason.

 

Initial Approval Date

4/03/2019

 

Date of Last Review

3/2023

 

Date for Review

3/2024

 

Revised by Autum Phillips
Last modified 1 months ago